Thanks, I got it working in the end though. I realize a YubiKey isn't terribly performant but for my particular use case I don't expect that to be a problem. Cheers, Erik
by erik - Nginx Mailing List - English
I figured it out and thought I'd post back for anyone else looking at this post in the future. My problem had nothing to do with the PKCS#11 engine. It persisted when I pointed proxy_ssl_certificate_key directly at the non-encrypted, password-less RSA key file. Instead, the problem was SNI. By default, Nginx uses the inbound request's Host header as the upstream SNI name. Since I was hitting
by erik - Nginx Mailing List - English
According to the documentation (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key), proxy_ssl_certificate_key supports syntax for ssl-engine specific backends:
> The value engine:name:id can be specified instead of the file (1.7.9), which loads a secret key with a specified id from
> the OpenSSL engine name.
which implies that at least for the private
by erik - Nginx Mailing List - English
Specifically, I'd like to know if the proxy_ssl_certificate and proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or whether they're hardwired to be just local file paths. With my private key in hardware, I'm looking for the ability to point nginx to something like: location /upstream { proxy_pass https://backend.example.com; proxy_ssl_certifica
by erik - Nginx Mailing List - English
Hi there, I'm building a reverse proxy that needs to use TLS client certificates for authentication to its proxy_pass location. The documentation at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ is pretty clear in how to point Nginx to the signed certificate and private key file, but my cert and key are in hardware (YubiKey in PIV mode). I have
by erik - Nginx Mailing List - English